Sophisticated AI-enabled phishing campaign targeting education and research
Jisc has alerted its members to a persistent and highly sophisticated phishing campaign currently targeting education and research institutions across the UK and internationally.
The campaign represents a significant escalation in threat actor capability, using AI-driven infrastructure and automated techniques to compromise accounts at scale.
Jisc’s cyber security incident response team (CSIRT) is currently supporting a high number of institutions affected by this widespread phishing activity, which has proven both persistent and successful.
Unlike traditional phishing campaigns that rely on static, manual scripts, this activity uses AI-driven infrastructure and multiple end-to-end automations, marking a notable shift in attacker sophistication and enabling rapid scaling and adaptation.
David Batho, director of security at Jisc, says:
“We are urging members and customers to remain vigilant and to take immediate action where account compromise is identified.
“There is an active discourse on our cyber security community about related phishing campaigns with shared experiences from multiple institutions. I encourage any members who are not already part of that community to sign up as shared intelligence is a vital part of defence.
“We are also providing key mitigation advice as part of our communications with members to support further.”
Key mitigation advice
- Require multifactor authentication (MFA): implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats
- Leverage phishing-resistant authentication methods such as Microsoft Authenticator with passkey
- Only allow device code flow where necessary: Microsoft recommends blocking device code flow wherever possible
- Implement risky-user and risky-sign-in policies to automate responses to high-risk activity
- Configure anti-phishing policies: anti-phishing policies protect against phishing attacks by detecting spoofed senders, impersonation attempts, and other deceptive email techniques
- Configure Safe Links in Defender for Office 365: Safe Links scanning protects your organisation from malicious links that are used in phishing and other attacks. Safe Links can also enable high-confidence Device Code phishing alerts from Defender
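To check the device code flow item above against a tenant's real configuration, the following added example (not Jisc's or Microsoft's code) audits exported Conditional Access policies and reports whether device code flow is actually blocked. It assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the function names and the sample policies are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; display names and the group ID are made up for illustration.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Block device code flow (pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block device code flow", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def targets_device_code(policy):
    """True if the policy's authentication-flow condition names device code flow."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = (flows.get("transferMethods") or "").split(",")
    return "deviceCodeFlow" in [m.strip() for m in methods]

def assess(policies):
    """Report, per device-code policy, why it does or does not actually block."""
    findings = []
    for p in filter(targets_device_code, policies):
        users = p["conditions"].get("users") or {}
        apps = p["conditions"].get("applications") or {}
        grants = (p.get("grantControls") or {}).get("builtInControls") or []
        checks = {  # problem description -> True when the policy passes the check
            f"not enforced (state={p.get('state')})": p.get("state") == "enabled",
            "grant control is not 'block'": "block" in grants,
            "does not include all users": "All" in (users.get("includeUsers") or []),
            "does not include all applications": "All" in (apps.get("includeApplications") or []),
        }
        issues = [msg for msg, ok in checks.items() if not ok]
        # Exclusions are legitimate for "where necessary" cases but should be reviewed.
        exclusions = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        findings.append({"name": p["displayName"], "effective": not issues,
                         "issues": issues, "exclusions": exclusions})
    return findings

def device_code_blocked(policies):
    """True if at least one enforced policy blocks device code flow tenant-wide."""
    return any(f["effective"] for f in assess(policies))
```

A report-only policy is listed as not effective, and every excluded user or group is surfaced so that the exceptions can be checked against the cases where device code flow is genuinely needed.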
Domain indicators identified from engagements and intelligence reports have been added to the Jisc protective domain name system (DNS) service, Janet Network Resolver (JNRS), which provides a layer of defence against attacks already observed by other institutions. As well as domains, all other relevant indicators are shared directly in Jisc’s cyber threat intelligence (CTI) sharing group, enabling real-time ingestion and action within your own security protections.
Jisc members and customers are encouraged to speak to their relationship manager if they are not already utilising these services, which for many are included within their membership.